Hello everybody, I sure hope this is relevant for the list.
I have been using IPFW and PF in FreeBSD 5.4 for some time, because I like PF's NAT and ftp-proxy, but I can't live without pipes. While giving me joy, this combination also results in some strange behaviour.

In the default configuration (i.e. firewall_enable and pf_enable="YES" in rc.conf) ipfw loads first and pf last, which has the great advantage of seeing untranslated packets in ipfw. When combining ipfw + dummynet + pf, some strange behaviour occurs, due to the fact that dummynet reinjects the packets into ip_input(). The path of incoming packets looks like this:

  wire -> pf -> ipfw -> dummynet -> pf -> ipfw -> kernel

1) rdr rules to localhost (required for ftp-proxy etc.) which go through pipes fail, because ip_input() drops 127/8.
2) pass log rules make packets appear twice on pflog.

Other issues may exist. I believe that the single solution would be something like in the pre-PFIL times, when ip_input() contained a jump directly to ipfw, and the packet was processed from where it left. However, this is pretty hard to implement in PFIL.

Any ideas?

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
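The packet path the post describes can be checked with a small model of it. The following Python is an added illustration, not code from the post or from FreeBSD: it models ip_input()'s 127/8 check, a pf hook that applies an rdr and a "pass log" rule, an ipfw hook that sends matching packets to a dummynet pipe, and two reinjection points: back into ip_input() (the FreeBSD 5.4 behaviour the post reports) and a hypothetical resume at ipfw (the pre-PFIL style the post asks about). The hook order (pf before ipfw), the tag that marks a packet as already delayed by dummynet, and the sample addresses are assumptions of the model.

```python
"""Model of the inbound ipfw + dummynet + pf path from the post (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Packet:
    dst: str                        # destination address as each stage currently sees it
    via_pipe: bool                  # an ipfw rule sends this packet to a dummynet pipe
    rcvif_is_loopback: bool = False # packets in this model arrive from the wire
    tagged_by_dummynet: bool = False  # stands in for the dummynet tag on a reinjected mbuf (assumption)
    pflog_entries: int = 0          # how often a "pass log" rule would have written to pflog
    trace: list = field(default_factory=list)


@dataclass
class PfConfig:
    rdr_to: Optional[str] = None    # address an rdr rule rewrites dst to (None: no rdr)
    log: bool = True                # the pass rule is "pass log"


def pf_in(pkt: Packet, cfg: PfConfig) -> str:
    """pf inbound hook: apply the rdr, then the pass (log) rule."""
    pkt.trace.append("pf")
    if cfg.rdr_to is not None:
        pkt.dst = cfg.rdr_to
    if cfg.log:
        pkt.pflog_entries += 1      # logged on every traversal, not once per packet
    return "pass"


def ipfw_in(pkt: Packet) -> str:
    """ipfw inbound hook: pipe rule on the first pass, accept once dummynet tagged it."""
    pkt.trace.append("ipfw")
    if pkt.via_pipe and not pkt.tagged_by_dummynet:
        return "pipe"
    return "accept"


def dummynet(pkt: Packet) -> None:
    pkt.trace.append("dummynet")
    pkt.tagged_by_dummynet = True


def ip_input(pkt: Packet, cfg: PfConfig, reinject: str = "ip_input") -> str:
    """ip_input(): 127/8 sanity check first, then the pfil hooks (pf, then ipfw).
    reinject="ip_input": a delayed packet re-enters here (behaviour the post reports).
    reinject="ipfw": a delayed packet resumes at ipfw (hypothetical pre-PFIL style)."""
    pkt.trace.append("ip_input")
    if ipaddress.ip_address(pkt.dst) in LOOPBACK_NET and not pkt.rcvif_is_loopback:
        pkt.trace.append("drop:127/8")
        return "dropped"
    if pf_in(pkt, cfg) != "pass":
        return "dropped"
    return _after_pf(pkt, cfg, reinject)


def _after_pf(pkt: Packet, cfg: PfConfig, reinject: str) -> str:
    if ipfw_in(pkt) == "pipe":
        dummynet(pkt)
        if reinject == "ip_input":
            return ip_input(pkt, cfg, reinject)   # 127/8 check and pf run a second time
        return _after_pf(pkt, cfg, reinject)      # only ipfw sees the packet again
    pkt.trace.append("kernel")
    return "delivered"


def run(dst: str, via_pipe: bool, rdr_to: Optional[str] = None, reinject: str = "ip_input"):
    """Send one constructed packet through the model; returns (verdict, pflog count, trace)."""
    pkt = Packet(dst=dst, via_pipe=via_pipe)
    verdict = ip_input(pkt, PfConfig(rdr_to=rdr_to), reinject)
    return verdict, pkt.pflog_entries, pkt.trace


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a constructed sample destination.
    for label, args in [
        ("rdr to localhost + pipe, reinject at ip_input", dict(rdr_to="127.0.0.1")),
        ("pass log + pipe, reinject at ip_input", {}),
        ("rdr to localhost + pipe, resume at ipfw", dict(rdr_to="127.0.0.1", reinject="ipfw")),
    ]:
        verdict, logged, trace = run("192.0.2.10", True, **args)
        print(f"{label}: {verdict}, pflog entries={logged}, path={' -> '.join(trace)}")
```

Running the three cases reproduces both symptoms from the post: the rdr'd packet is dropped by the 127/8 check on its second entry into ip_input(), and a plain "pass log" packet that goes through a pipe is logged twice. With the resume-at-ipfw variant both symptoms disappear, which is what the suggested pre-PFIL style jump would buy; whether that can be done cleanly inside PFIL is exactly the open question of the post.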
